1. Field of the Invention
The present invention relates generally to computer networking and computer software.
2. Description of the Background Art
Virus throttling is a relatively new technique to contain the damage caused by fast-spreading worms and viruses. This technique is described in “Throttling Viruses: Restricting propagation to defeat malicious mobile code,” by Matthew M. Williamson, HP Laboratories, HPL-2002-172, Hewlett-Packard Company, 2002 (hereinafter “the HP Labs report”).
Rather than attempting to prevent a computing machine from becoming infected, virus throttling inhibits the spreading of the worm or virus from an infected machine. This reduces damage because the worm or virus is able to spread less quickly, and this also reduces the network traffic caused by such worms and viruses.
Virus throttling is particularly effective against fast-spreading worms or viruses, where signature-based approaches can be weak. A signature-based anti-virus approach may be thought of as a race between the virus and the virus signature. A vulnerable machine will be infected if the virus reaches it before the signature does, but it won't be infected if the signature reaches it first. Unfortunately, not only do modern viruses and worms typically spread quickly, but they also have a head start in the race as a result of the time it takes to generate the virus signature. In the case of fast-spreading viruses and worms, the infected machines are not the only problem: the network loading caused by the additional traffic generated by the virus can cause problems for other users of the network, not just for those users with infected machines.
Virus throttling is based on controlling an infected machine's network behavior, and so does not rely on details of the specific virus. In other words, a signature is not needed to implement virus throttling. Although virus throttling does not prevent infection in the first place, it helps to contain damage by restricting the spread of the virus. With such throttling, a virus or worm outbreak will grow less rapidly, and the network loading will be reduced. Further, by damping down the spread of the virus or worm, the throttling buys time for signature-based solutions to reach machines before the virus or worm.
Virus throttling relies on the difference in network behavior between a normal (uninfected) machine and an infected machine. A fundamental behavior of a virus is its replication and spreading to as many different machines as possible. For example, the Nimda worm typically makes about 300 to 400 connections per second and the SQLSlammer worm sends about 850 packets per second, both probing for vulnerable machines. Similarly, many email viruses send mail to all the addresses they can find. In contrast, uninfected machines do not normally exhibit this kind of behavior. Instead, normal machines tend to contact other machines at a much lower rate. In addition, normal machines also tend to contact the same machines repeatedly. The rate of connections to new machines from a normal machine is typically on the order of one connection per second for TCP/UDP connections and on the order of once every ten minutes for email.
A virus throttle acts as a rate limiter on interactions with new machines. The “interactions” may include, for example, the initiation of a TCP connection, or the sending of a UDP packet or email. A machine may be considered “new” if it has a different destination address compared to other recently contacted machines. The throttle serves to delay (not drop) those interactions with new machines that occur at a higher rate than that allowed by the throttling device. If a virus attempts to scan for vulnerable machines at a high rate (for example, 400 connections per second), the throttle can limit this to a much slower rate (for example, one connection per second). This will slow down the rate at which the virus can spread.
If the virus is attempting hundreds of new connections every second, and only one is being allowed, then the backlog of delayed connections will grow rapidly. It turns out that the length of this backlog is a reasonable indicator that a virus has infected the system. If such an infection is so indicated, then more drastic action may be taken (for instance, stopping the networking and alerting the network administrator). Thus, the throttle can slow down viruses until the viruses are detected, at which point further propagation may be stopped with further action. For rapidly spreading viruses, this process may take less than a second.
FIG. 1 is a schematic diagram depicting basic components of a virus throttle system 100. The throttle system 100 may be thought of as a rate limiter on connections to new hosts. Whenever a request 102 is made, the throttle system 100 checks to see whether the request is to a new host. This is done by comparing the destination of the request 102 with a list or “working set” 104 of recent connections. The length of this list (i.e. the number of recent connections to unique hosts in the working set) may be varied to alter the amount of throttling applied by the system 100. For example, if the working set 104 included only one recent connection, then all requests other than consecutive connections to the same host will be considered as a connection to a “new” host.
If the host is considered as not new, then the request 102 is processed 106 normally. However, if the host is considered as new, then the request 102 is added to a delay queue 108 to await processing. The rate limiter 110 periodically pops a request off the delay queue 108 for processing 106. The periodicity may be determined by the expiration of a timeout as indicated by a clock 112. The rate limiter 110 not only releases the request at the head of the queue for processing 106, but it also releases any other requests in the queue to the same destination. In addition, the working set 104 is updated by removing a host from the working set and replacing it with the new destination.
As described above, the throttle system 100 implements a rate limit and delays new connections made at a higher rate than allowed. Because the new connections are delayed, rather than being dropped, if new connections are requested at a very high rate, the number of requests in the delay queue 108 will mount up quickly. Hence, a queue length detector 114 monitoring the length of the delay queue 108 may be used to give a good indication of whether a process is acting like a virus. If the length of the delay queue 108 reaches a threshold, the offending process may be halted, either by stopping networking or by suspending the process itself. A user or administrator can then be contacted.
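The throttle of FIG. 1 (working set 104, delay queue 108, rate limiter 110 and queue length detector 114) as an added Python example; this is not code from the patent or from the HP Labs report. The host names, the two traffic patterns, the working set size of five and the alarm threshold of 100 queued requests are constructed values, and the clock 112 is modelled by calling release() once per one-second timeout.

```python
from collections import deque

class VirusThrottle:
    """Rate limiter on connections to new hosts: working set, delay queue and
    queue-length detector. Constructed example; release() models each clock timeout."""

    def __init__(self, working_set_size=5, alarm_threshold=100):
        self.working_set = deque(maxlen=working_set_size)  # recent unique hosts
        self.delay_queue = deque()        # requests to "new" hosts awaiting release
        self.alarm_threshold = alarm_threshold
        self.processed = []               # requests handed to normal processing
        self.alarm = False                # set by the queue-length detector

    def request(self, dest):
        """Process immediately if dest is a recently contacted host, else delay it."""
        if dest in self.working_set:
            self.processed.append(dest)
            return "processed"
        self.delay_queue.append(dest)
        if len(self.delay_queue) >= self.alarm_threshold:
            self.alarm = True  # caller may now stop networking or suspend the process
        return "delayed"

    def release(self):
        """Rate limiter on timeout expiry: pop the head of the queue, release every other
        queued request to the same destination, then update the working set (oldest host evicted)."""
        if not self.delay_queue:
            return 0
        dest = self.delay_queue.popleft()
        same = [d for d in self.delay_queue if d == dest]
        self.delay_queue = deque(d for d in self.delay_queue if d != dest)
        self.processed.extend([dest] + same)
        self.working_set.append(dest)
        return 1 + len(same)

def simulate(throttle, traffic, seconds):
    """traffic(s) lists the destinations requested during second s; the timeout is
    one second, so one release per second (about one new host per second)."""
    for s in range(seconds):
        for dest in traffic(s):
            throttle.request(dest)
        throttle.release()
    return len(throttle.delay_queue), throttle.alarm

def normal_traffic(s):  # constructed: two familiar hosts plus a new one every 5 s
    return ["mail", "web"] + (["host%d" % s] if s % 5 == 0 else [])

def worm_traffic(s):    # constructed: scanning 400 distinct addresses per second
    return ["scan-%d-%d" % (s, i) for i in range(400)]
```

Running simulate() with normal_traffic leaves the delay queue empty and the alarm clear, whereas one second of worm_traffic leaves 399 requests queued and trips the detector.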